Searching for Objects
The LDP utility is very useful for searching and filtering on specific objects if you understand its query syntax.
When you click Search on the Browse menu, a dialog box is displayed in which you can set the Base DN, Filter, and Scope settings for your query.
The Base DN setting defines where in the directory tree the search begins. If you use the file system folder analogy, the Base DN setting defines the subfolder at which the search begins. The most commonly used base DN for an Active Directory search is the CN=Users,DC=.... container.
NOTE: You can cut and paste from RootDSE information or other results information to avoid typing long base DN values.
The Scope setting determines how far down in the directory tree to search. By default, the Scope is set to One Level, which is like searching the current folder in a file system. A one level search does not include the base DN object itself. To see the attributes of the base DN object, you must set the Scope to Base, or double-click the Base object in the directory tree view. If you set the Scope to Subtree, it is like searching the current folder and all of the subfolders of a file system.
The Filter box allows you to construct queries. The following table lists the most commonly used LDAP query operators.
& logical and
| logical or
! logical not
= equal to
~= approximately equal to
>= equal to or greater than
<= less than or equal to
Most people find that the syntax of LDAP queries takes some getting used to, because operators are usually placed before rather than between operands. If an LDAP query expresses 2 + 2 = 4, it is written (+(2)(2)) = 4.
All of the query filters are enclosed by opening and closing parentheses. Complex filters often contain several nested levels of parentheses. You must be sure that you supply all of the required parentheses, or your search does not work.
The logical AND and OR operators always refer to two or more search terms, and are placed before the terms that they affect. A simple visual rule may help you use AND and OR correctly; AND and OR should always be immediately followed by an open parenthesis, rather than placed directly next to an attribute name.
For example, if you want to search for all of the users who have first names of John AND last names of either Smith OR Jones, the filter is similar to the following:
(&(objectClass=user)(givenName=John)(|(sn=Smith)(sn=Jones)))
The ! sign (the NOT operator) can be applied to a single term, as in the following example:
(&(objectClass=user)(sn=Jones)(!givenName=John)(!givenName=Jane)(!logonCount<=100))
The above filter finds users who have the surname Jones whose given name is neither John nor Mary and who have logged on no less than 101 times.
Queries also support asterisk wildcards. The following search returns all of the users who have surnames that start with the letter J:
(&(objectClass=user)(sn=j*))
The LDP utility searches are not case sensitive, and you can search by using leading and trailing asterisks (*string*) to find substrings in the middle of a value. Such searches take much longer to complete. When possible, use either a leading or trailing wildcard character, but not both.
You can use a wildcard by itself to test for the existence or absence of a given attribute. If you want to find all of the users who do not have an Exchange Server mailbox, you can find them by using the following query because these users lack an msExchHomeServerName value:
(&(objectClass=user)(!msExchHomeServerName=*))
The escape character in a query is the backslash (\). This is a reserved character, along with * ( ) and NUL. To search for reserved characters as part of an attribute value, you must precede the reserved characters with the escape character and one of the following numeric codes for each reserved character:
* 2a
( 28
) 29
\ 5c
NUL 00
For example, if you want to search for all of the users whose display names end in a close parenthesis character, use the following search:
(&(objectClass=user)(displayName=*\29))
If you want to find users whose home directories are G:\Accounting, use the following search:
(&(objectClass=user)(home-directory=G:\5cACCOUNTING*))
In an LDAP query, a backslash always signifies an escape character, never an actual backslash.
If you are interested in only a particular attribute or few attributes, you can filter the rest so that they are not displayed in the results window by clicking Options in the Search dialog box. In Options, list the attributes that you want to be displayed, and separate each with a semicolon. For example:
msExchHomeServerName;DisplayName;Home-Directory;
If you leave the Attributes list blank or if it is an asterisk, all of the attributes to which you have access are displayed for every object returned by a query.
NOTE: The LDP utility does not separate the objects that are returned by a query with a blank line. When you look through search results, look for the leading >> characters to indicate the beginning of the next object in the list.